Folks, I'm working on tools to automatically generate SELinux policy for Linear Assured Pipelines, that is, verifiably tamper-proof and non-bypassable information transfer between two information domains, e.g., moving files reliably from one network to another, with filtering along the way.

tl;dr: https://github.com/PeterWhittaker/LinearAssuredPipeline may be of interest to you, if you do any work with using SELinux to define Linear Assured Pipelines.

The basic approach is to:

1. Define a pipeline in YAML, and verify that the pipeline definition is correct according to a schema document, also written in YAML (I'm using Yamale for schema validation). I got this part going this past week.

2. Use the pipeline YAML to automatically generate SELinux policy statements. This is most of my plate for next week and until it's done.

One of the motivations for doing this is that the basic TE statements used for the transition between any two elements in the pipeline are the same: N can read from N-1 and write to N+1, and no one else can. If the filters use folders to move files along, then only N-1 can write to N's folder and only N can read and delete from it, and only N can write to N+1's folders, etc. There is a lot of repetition, with only the specific types changing from step to step. (I've done step 2 before by hand, which is why I am working on doing it differently this time. It is a lot of work, and error-prone.)

The other motivation is to ensure that the pipeline itself is clearly and cleanly and correctly specified before writing any policy statements - and there is a place in the schema for canexec-style statements if a filter needs helpers along the way: capture in the high-level YAML file the general structure of the pipeline and any per-step exceptions, validate all of that, then generate SELinux policy from something you're pretty sure is already correct. If the generation code is correct, the policy should be correct.

Feel free to check out the repo, poke around, ask any questions, open issues, fix stuff....

Thanks all, have fantastic weekends,

P

Peter Whittaker
EdgeKeep Inc.
www.edgekeep.com
+1 613 864 5337
+1 613 864 KEEP
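How the generation step and a non-bypass check might look, as an added Python example that is not code from Peter's repository: a constructed three-step pipeline (all domain and type names are made up) is turned into raw TE statements following the "N reads from N-1, writes to N+1" rule, and the generated allow rules are then audited to confirm that each step's inbox has exactly one reader and exactly one writer. It assumes files created in an inbox directory inherit the directory's type, so no type_transition is emitted, and it works from an inline data structure rather than parsing YAML.

```python
import re

# Constructed pipeline description, standing in for what the YAML file would
# hold. Assumption: these names and types are made up for this example.
PIPELINE = [
    {"name": "ingest", "domain": "lap_ingest_t", "inbox": "lap_ingest_in_t"},
    {"name": "scan",   "domain": "lap_scan_t",   "inbox": "lap_scan_in_t"},
    {"name": "egress", "domain": "lap_egress_t", "inbox": "lap_egress_in_t"},
]

# Permission sets used by the rule templates. Step N may read and delete from
# its own inbox, and only create/write into the next step's inbox.
DIR_READ = "{ getattr search read open remove_name }"
FILE_READ = "{ getattr read open unlink }"
DIR_WRITE = "{ getattr search write add_name }"
FILE_WRITE = "{ getattr create write open }"


def generate_te(pipeline):
    """Emit a raw SELinux TE module: one filter domain per step, each able to
    consume its own inbox and hand off into the next step's inbox."""
    out = [
        "module lap 1.0;", "", "require {",
        "    class dir { getattr search read open write add_name remove_name };",
        "    class file { getattr read open write create unlink };",
        "}", "",
    ]
    for step in pipeline:
        out.append(f"type {step['domain']};")
        out.append(f"type {step['inbox']};")
    out.append("")
    for i, step in enumerate(pipeline):
        dom, inbox = step["domain"], step["inbox"]
        out.append(f"# step {i} ({step['name']}): consume own inbox")
        out.append(f"allow {dom} {inbox}:dir {DIR_READ};")
        out.append(f"allow {dom} {inbox}:file {FILE_READ};")
        if i + 1 < len(pipeline):
            nxt = pipeline[i + 1]["inbox"]
            out.append(f"# step {i} ({step['name']}): hand off to step {i + 1}")
            out.append(f"allow {dom} {nxt}:dir {DIR_WRITE};")
            out.append(f"allow {dom} {nxt}:file {FILE_WRITE};")
    return "\n".join(out) + "\n"


ALLOW_RE = re.compile(r"^allow (\S+) (\S+):(dir|file) \{([^}]*)\};", re.M)
# Permissions that let a domain put data into a target type. Deletion
# (unlink/remove_name) is deliberately excluded: the consumer may clean up.
PRODUCER_PERMS = {"write", "add_name", "create", "append"}


def audit_flows(te_text):
    """Map each target type to the domains that can write data into it and the
    domains that can read it, derived from the allow rules alone."""
    flows = {}
    for src, tgt, _cls, perms in ALLOW_RE.findall(te_text):
        pset = set(perms.split())
        entry = flows.setdefault(tgt, {"writers": set(), "readers": set()})
        if pset & PRODUCER_PERMS:
            entry["writers"].add(src)
        if "read" in pset:
            entry["readers"].add(src)
    return flows


def check_linear(pipeline, te_text):
    """Return non-bypass violations: every inbox must be read only by its own
    step and written only by the preceding step. The first inbox is fed from
    outside the policy, so it must have no in-policy writer at all."""
    flows = audit_flows(te_text)
    violations = []
    for i, step in enumerate(pipeline):
        got = flows.get(step["inbox"], {"writers": set(), "readers": set()})
        want_w = {pipeline[i - 1]["domain"]} if i > 0 else set()
        want_r = {step["domain"]}
        if got["writers"] != want_w:
            violations.append(f"{step['inbox']}: writers "
                              f"{sorted(got['writers'])} != {sorted(want_w)}")
        if got["readers"] != want_r:
            violations.append(f"{step['inbox']}: readers "
                              f"{sorted(got['readers'])} != {sorted(want_r)}")
    return violations


if __name__ == "__main__":
    te = generate_te(PIPELINE)
    print(te)
    print("violations:", check_linear(PIPELINE, te) or "none")
```

The audit is the part worth keeping even once the templates are trusted: run it over the final policy text (generated rules plus any hand-written canexec-style exceptions), and a stray allow rule that gives some other domain write access to an inbox shows up as a second writer on that type.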